Critical Vulnerabilities Patched in Adobe Flash Player 14.0.0.145

Status
Not open for further replies.

Littlebits

Retired Staff
Thread author
May 3, 2011
3,893
- Two of the glitches allowed attackers to bypass access restrictions
Adobe rolled out a new update for Flash Player, which includes fixes for a set of three vulnerabilities, all of them having the highest severity rating on Windows and Mac platforms.

Two of the glitches eliminated by Adobe would allow an attacker to bypass access restrictions, although there is no information about the vectors that could be leveraged in the breach. These have the CVE identifiers CVE-2014-0537 and CVE-2014-0539 and have been attributed to Masato Kinugawa.

Another flaw, CVE-2014-4671, addressed in Adobe Flash Player 14.0.0.145, touches on validation checks of the content from JSONP callback APIs.

Based on the work of Google security researcher Michele Spagnuolo, a SWF file composed of alphanumeric characters can be used by a potential attacker to abuse JSONP endpoints.

The compromise relies on Flash Player’s inability to reject malicious content from vulnerable JSONP callback APIs. Since SWF files can perform GET and POST requests to the domain that hosts them, a potential attacker can upload a malicious Flash file consisting of alphanumeric characters only in order to retrieve sensitive information.

Spagnuolo managed to convert the SWF file to alphanumeric characters using the Rosetta Flash tool, which provides a compressed, alphanumeric equivalent of the binary Flash item using Zlib.

In fact, the researcher says that the entire process relies on inflation rather than compression, because the tool uses ad-hoc Huffman encoders that map non-allowed bytes to allowed ones.

Many high-profile domains were affected by the flaw, including those from Google, Twitter, Instagram, Tumblr, Olark, and eBay. However, some of them have already taken the necessary measures to protect against the vulnerability. The domains from Google, Twitter and Tumblr are currently protected against this sort of attack.

The update has the highest priority rating, which means that there is the possibility for the security glitches to be exploited in the wild. However, the company did not provide information about having such evidence.

As far as severity is concerned, the rating is critical, because malicious native code could be executed by a potential attacker, without the user being aware of it.

Updating to the latest version of Flash Player is imperative in this case. Users of Google Chrome, Internet Explorer 10 and 11 receive the new revision automatically, thanks to the auto-update mechanism included in the products; in some cases a browser restart is required for the update to complete.

Users who do not receive the update automatically are advised to install it manually as soon as possible in order to eliminate security risks.

Source
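
Server-side view of the JSONP issue described in the post above, as an added example that is not part of the original post or of any named site's code. The post does not say which measures the protected domains took; the leading comment, the response headers, the 64-character cap and all function names here are assumptions chosen to show common JSONP endpoint hardening.

```javascript
// Hardened JSONP response builder (added example; names and limits are hypothetical).
const MAX_CALLBACK_LEN = 64; // assumed cap: a whole SWF cannot fit in a short callback
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

function isSafeCallback(name) {
  // A charset allowlist alone is not enough here, because the payload the
  // post describes is itself purely alphanumeric. The length cap matters.
  return typeof name === "string" &&
    name.length <= MAX_CALLBACK_LEN &&
    CALLBACK_RE.test(name);
}

function buildJsonpResponse(callback, data) {
  if (!isSafeCallback(callback)) {
    return { status: 400,
             headers: { "Content-Type": "text/plain; charset=utf-8" },
             body: "invalid callback" };
  }
  // Escape characters that are legal in JSON but unsafe inside script text.
  const json = JSON.stringify(data)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      "Content-Disposition": "attachment; filename=f.txt",
    },
    // Leading comment: the reflected callback is never the first bytes of
    // the body, so the body cannot begin with a file signature such as "CWS".
    body: "/**/" + callback + "(" + json + ");",
  };
}

// Constructed stand-in for an alphanumeric-only SWF (not a real file).
const fakeAlnumSwf = "CWS" + "M".repeat(400);
const charsetOnly = CALLBACK_RE.test(fakeAlnumSwf); // the charset check alone passes it
const rejected = buildJsonpResponse(fakeAlnumSwf, { ok: true });
const accepted = buildJsonpResponse("app.onData", { user: "alice" });
```
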
 

WinXPert

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Jan 9, 2013
1,457
So used to Flash vulnerabilities, I'm no longer surprised.
 